心爱的RabbitMQ Management Plugin有一个HTTP API来通过普通的HTTP请求来管理RabbitMQ。
我们需要以编程方式创建用户,并且HTTP API是您选择的方式。文档很少,但API非常简单直观。
关注安全性,我们不希望以纯文本形式传递用户密码,而API提供了一个字段来代替发送密码哈希。从那里引用:
[GET | PUT |删除] / api / users / 名称
个人用户。要为用户提供服务,您需要看一看身体 像这样的东西:
{"password":"secret","tags":"administrator"}或:
{"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "tags":"administrator"}标签键是必需的。必须设置
password或password_hash。
到目前为止,这么好,问题是:如何正确生成password_hash?
在RabbitMQ的配置文件中配置password hashing algorithm,我们将其配置为默认的SHA256。
我正在使用C#,并使用以下代码生成哈希:
var cr = new SHA256Managed();
var simplestPassword = "1";
var bytes = cr.ComputeHash(Encoding.UTF8.GetBytes(simplestPassword));
var sb = new StringBuilder();
foreach (var b in bytes) sb.Append(b.ToString("x2"));
var hash = sb.ToString();
这不起作用。在一些用于SHA256加密的在线工具中进行测试,代码产生了预期的输出。但是,如果我们进入管理页面并手动将用户密码设置为“1”,那么它就像魅力一样。
This answer让我导出配置并看看RabbitMQ正在生成的哈希值,我意识到了一些事情:
password_hash RabbitMQ将其存储而无需更改我也接受其他编程语言的建议,而不仅仅是C#。
答案 0 :(得分:10)
来自:http://rabbitmq.1065348.n5.nabble.com/Password-Hashing-td276.html
但是,如果要实现它,算法非常简单 你自己。这是一个有效的例子:
生成随机32位盐:
CA D5 08 9B
使用密码的UTF-8表示连接(在此处 案例“simon”):
CA D5 08 9B 73 69 6D 6F 6E
采用MD5哈希:
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
再次连接盐:
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
并转换为base64编码:
ytUIm8s3AnKsXQjptplKFytfVxI =
您应该能够修改代码以遵循此过程
答案 1 :(得分:4)
对于懒人(比如我;)),有一个代码用于计算带有Sha512的RabbitMq密码,用于框架.Net Core。
public static class RabbitMqPasswordHelper
{
public static string EncodePassword(string password)
{
using (RandomNumberGenerator rand = RandomNumberGenerator.Create())
using (var sha512 = SHA512.Create())
{
byte[] salt = new byte[4];
rand.GetBytes(salt);
byte[] saltedPassword = MergeByteArray(salt, Encoding.UTF8.GetBytes(password));
byte[] saltedPasswordHash = sha512.ComputeHash(saltedPassword);
return Convert.ToBase64String(MergeByteArray(salt, saltedPasswordHash));
}
}
private static byte[] MergeByteArray(byte[] array1, byte[] array2)
{
byte[] merge = new byte[array1.Length + array2.Length];
array1.CopyTo(merge, 0);
array2.CopyTo(merge, array1.Length);
return merge;
}
}
答案 2 :(得分:3)
以防万一,Waldo的完整代码应该是下一个
//Rextester.Program.Main is the entry point for your code. Don't change it.
//Compiler version 4.0.30319.17929 for Microsoft (R) .NET Framework 4.5
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
using System.Text;
namespace Rextester
{
public static class RabbitMqPasswordHelper
{
public static string EncodePassword(string password)
{
using (RandomNumberGenerator rand = RandomNumberGenerator.Create())
using (var sha256 = SHA256.Create())
{
byte[] salt = new byte[4];
rand.GetBytes(salt);
byte[] saltedPassword = MergeByteArray(salt, Encoding.UTF8.GetBytes(password));
byte[] saltedPasswordHash = sha256.ComputeHash(saltedPassword);
return Convert.ToBase64String(MergeByteArray(salt, saltedPasswordHash));
}
}
private static byte[] MergeByteArray(byte[] array1, byte[] array2)
{
byte[] merge = new byte[array1.Length + array2.Length];
array1.CopyTo(merge, 0);
array2.CopyTo(merge, array1.Length);
return merge;
}
}
public class Program
{
public static void Main(string[] args)
{
//Your code goes here
Console.WriteLine(Rextester.RabbitMqPasswordHelper.EncodePassword("MyPassword"));
}
}
}
您可以在http://rextester.com/上在线投放。程序输出将包含您的哈希值。
Christianclinton的Python版本(https://gist.github.com/christianclinton/faa1aef119a0919aeb2e)
#!/bin/env/python
import hashlib
import binascii
# Utility methods for generating and comparing RabbitMQ user password hashes.
#
# Rabbit Password Hash Algorithm:
#
# Generate a random 32 bit salt:
# CA D5 08 9B
# Concatenate that with the UTF-8 representation of the password (in this
# case "simon"):
# CA D5 08 9B 73 69 6D 6F 6E
# Take the MD5 hash:
# CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
# Concatenate the salt again:
# CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12
# And convert to base64 encoding:
# ytUIm8s3AnKsXQjptplKFytfVxI=
#
# Sources:
# http://rabbitmq.1065348.n5.nabble.com/Password-Hashing-td276.html
# http://hg.rabbitmq.com/rabbitmq-server/file/df7aa5d114ae/src/rabbit_auth_backend_internal.erl#l204
# Test Case:
# print encode_rabbit_password_hash('CAD5089B', "simon")
# print decode_rabbit_password_hash('ytUIm8s3AnKsXQjptplKFytfVxI=')
# print check_rabbit_password('simon','ytUIm8s3AnKsXQjptplKFytfVxI=')
def encode_rabbit_password_hash(salt, password):
salt_and_password = salt + password.encode('utf-8').encode('hex')
salt_and_password = bytearray.fromhex(salt_and_password)
salted_md5 = hashlib.md5(salt_and_password).hexdigest()
password_hash = bytearray.fromhex(salt + salted_md5)
password_hash = binascii.b2a_base64(password_hash).strip()
return password_hash
def decode_rabbit_password_hash(password_hash):
password_hash = binascii.a2b_base64(password_hash)
decoded_hash = password_hash.encode('hex')
return (decoded_hash[0:8], decoded_hash[8:])
def check_rabbit_password(test_password, password_hash):
salt, hash_md5sum = decode_rabbit_password_hash(password_hash)
test_password_hash = encode_rabbit_password_hash(salt, test_password)
return test_password_hash == password_hash
玩得开心!
答案 3 :(得分:2)
这是PowerShell中的一个-在@ derick-bailey开瓶器中提到使用SHA512而不是MD5-但是您可以通过更改$hash和$salt
param (
$password
)
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$hash = [System.Security.Cryptography.SHA512]::Create()
[byte[]]$salt = New-Object byte[] 4
$rand.GetBytes($salt)
#Uncomment the next 2 to replicate derick baileys sample
#[byte[]]$salt = 0xCA, 0xD5, 0x08, 0x9B
#$hash = [System.Security.Cryptography.Md5]::Create()
#Write-Host "Salt"
#[System.BitConverter]::ToString($salt)
[byte[]]$utf8PasswordBytes = [Text.Encoding]::UTF8.GetBytes($password)
#Write-Host "UTF8 Bytes"
#[System.BitConverter]::ToString($utf8PasswordBytes)
[byte[]]$concatenated = $salt + $utf8PasswordBytes
#Write-Host "Concatenated"
#[System.BitConverter]::ToString($concatenated)
[byte[]]$saltedHash = $hash.ComputeHash($concatenated)
#Write-Host "SHA512:"
#[System.BitConverter]::ToString($saltedHash)
[byte[]]$concatenatedAgain = $salt + $saltedHash
#Write-Host "Concatenated Again"
#[System.BitConverter]::ToString($concatenatedAgain)
$base64 = [System.Convert]::ToBase64String($concatenatedAgain)
Write-Host "BASE64"
$base64
答案 4 :(得分:1)
适合那些寻求Go解决方案的人。下面的代码将生成一个32字节的随机密码,或者使用给定密码输入一个标志并将其进行哈希处理,因此您可以在Rabbit的定义文件的“ password_hash”字段中使用
package main
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"flag"
"fmt"
mRand "math/rand"
"time"
)
var src = mRand.NewSource(time.Now().UnixNano())
func main() {
input := flag.String("password", "", "The password to be encoded. One will be generated if not supplied")
flag.Parse()
salt := [4]byte{}
_, err := rand.Read(salt[:])
if err != nil {
panic(err)
}
pass := *input
if len(pass) == 0 {
pass = randomString(32)
}
saltedP := append(salt[:], []byte(pass)...)
hash := sha256.New()
_, err = hash.Write(saltedP)
if err != nil {
panic(err)
}
hashPass := hash.Sum(nil)
saltedP = append(salt[:], hashPass...)
b64 := base64.StdEncoding.EncodeToString(saltedP)
fmt.Printf("Password: %s\n", string(pass))
fmt.Printf("Hash: %s\n", b64)
}
const (
letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
letterIdxBits = 6 // 6 bits to represent a letter index
letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits
)
func randomString(size int) string {
b := make([]byte, size)
// A src.Int63() generates 63 random bits, enough for letterIdxMax letters!
for i, cache, remain := size-1, src.Int63(), letterIdxMax; i >= 0; {
if remain == 0 {
cache, remain = src.Int63(), letterIdxMax
}
if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
b[i] = letterBytes[idx]
i--
}
cache >>= letterIdxBits
remain--
}
return string(b)
}
答案 5 :(得分:0)
这是我前段时间偶然发现的一个小型python脚本(属性在脚本中),非常适合快速生成哈希。它不执行任何错误检查,因此非常简单:
#!/usr/bin/env python3
# rabbitMQ password hashing algo as laid out in:
# http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html
from __future__ import print_function
import base64
import os
import hashlib
import struct
import sys
# This is the password we wish to encode
password = sys.argv[1]
# 1.Generate a random 32 bit salt:
# This will generate 32 bits of random data:
salt = os.urandom(4)
# 2.Concatenate that with the UTF-8 representation of the plaintext password
tmp0 = salt + password.encode('utf-8')
# 3. Take the SHA256 hash and get the bytes back
tmp1 = hashlib.sha256(tmp0).digest()
# 4. Concatenate the salt again:
salted_hash = salt + tmp1
# 5. convert to base64 encoding:
pass_hash = base64.b64encode(salted_hash)
print(pass_hash.decode("utf-8"))
答案 6 :(得分:0)
有趣的是bash版本!
#!/bin/bash
function encode_password()
{
SALT=$(od -A n -t x -N 4 /dev/urandom)
PASS=$SALT$(echo -n $1 | xxd -ps | tr -d '\n' | tr -d ' ')
PASS=$(echo -n $PASS | xxd -r -p | sha512sum | head -c 128)
PASS=$(echo -n $SALT$PASS | xxd -r -p | base64 | tr -d '\n')
echo $PASS
}
echo encode_password "some password"
答案 7 :(得分:0)
这是使用Java的一种方法。
/**
* Generates a salted SHA-256 hash of a given password.
*/
private String getPasswordHash(String password) {
var salt = getSalt();
try {
var saltedPassword = concatenateByteArray(salt, password.getBytes(StandardCharsets.UTF_8));
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(saltedPassword);
return Base64.getEncoder().encodeToString(concatenateByteArray(salt,hash));
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
/**
* Generates a 32 bit random salt.
*/
private byte[] getSalt() {
var ba = new byte[4];
new SecureRandom().nextBytes(ba);
return ba;
}
/**
* Concatenates two byte arrays.
*/
private byte[] concatenateByteArray(byte[] a, byte[] b) {
int lenA = a.length;
int lenB = b.length;
byte[] c = Arrays.copyOf(a, lenA + lenB);
System.arraycopy(b, 0, c, lenA, lenB);
return c;
}
答案 8 :(得分:0)
这是bash中此脚本的一个版本,可以在带有openSSL的BusyBox上使用
#!/bin/bash
function get_byte()
{
local BYTE=$(head -c 1 /dev/random | tr -d '\0')
if [ -z "$BYTE" ]; then
BYTE=$(get_byte)
fi
echo "$BYTE"
}
function encode_password()
{
BYTE1=$(get_byte)
BYTE2=$(get_byte)
BYTE3=$(get_byte)
BYTE4=$(get_byte)
SALT="${BYTE1}${BYTE2}${BYTE3}${BYTE4}"
PASS="$SALT$1"
TEMP=$(echo -n "$PASS" | openssl sha256 -binary)
PASS="$SALT$TEMP"
PASS=$(echo -n "$PASS" | base64)
echo "$PASS"
}
encode_password $1```
答案 9 :(得分:0)
尝试使用 HareDu API。如果您使用 .NET Core 2 或更高版本,请使用 https://github.com/ahives/HareDu2/blob/master/docs/README.md。如果您使用 .NET 5,请使用 https://github.com/ahives/HareDu3/blob/master/docs/broker-api.md。这两个库都有一个哈希函数,您可以通过它执行以下操作:
var result = await services.GetService<IBrokerObjectFactory>()
.CreateUser("testuser3", "testuserpwd3", "gkgfjjhfjh".ComputePasswordHash(),
x =>
{
x.WithTags(t =>
{
t.Administrator();
});
});